1. Field of the Invention
The present invention relates to a client apparatus, and an apparatus and a verification method for verifying a device.
2. Description of the Related Art
It is necessary to verify the security of a client apparatus, such as a cellular phone, a PDA, or a PC, when information communication services are provided to it.
For example, a technology has been disclosed which allows a device verification apparatus to investigate security or trustworthiness by utilizing a trusted module in a client apparatus, and allows a service provider to decide whether to permit service provisioning based on the investigation result (for example, see Japanese Patent Laid-Open Publication No. 2003-76585). According to this technology, the investigation result contains a list of hash values of a software group disposed in the client apparatus, and is digitally signed by the trusted module. The service provider holds the list of valid hash values of the software group in the client apparatus and, after verifying the signature of the investigation result, compares each hash value with the valid hash value to check for alteration. The service provider can reject service provision to the client apparatus when it detects alteration of certain software or when a hash value of software other than a valid software group is contained. Hence, the service provider can provide services upon verification of the security of the client apparatus.
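The conventional check described above, sketched as an added example (not code from the cited publication or from this document). It assumes HMAC-SHA256 with a shared key as a stand-in for the trusted module's digital signature, and the function names, software names and sample data are constructed.

```python
import hashlib
import hmac
import json

# Assumption: HMAC-SHA256 with a shared key stands in for the trusted
# module's digital signature so the example runs on the standard library.
MODULE_KEY = b"constructed-demo-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_report(software: dict, key: bytes = MODULE_KEY) -> dict:
    """Client side: hash each software image and sign the whole list."""
    hashes = {name: sha256_hex(image) for name, image in software.items()}
    body = json.dumps(hashes, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"hashes": hashes, "sig": sig}


def verify_report(report: dict, valid: dict, key: bytes = MODULE_KEY):
    """Service provider side: verify the signature, then compare hashes."""
    body = json.dumps(report["hashes"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, report["sig"]):
        return False, ["signature invalid"]
    problems = []
    for name, digest in report["hashes"].items():
        if name not in valid:
            # Software outside the valid software group.
            problems.append(f"unknown software: {name}")
        elif not hmac.compare_digest(digest, valid[name]):
            # Known software whose hash differs from the valid hash.
            problems.append(f"altered software: {name}")
    return not problems, problems


# Constructed sample data: the valid software group and its hash list.
GOOD = {"browser": b"browser v1", "mailer": b"mailer v1"}
VALID = {name: sha256_hex(image) for name, image in GOOD.items()}

if __name__ == "__main__":
    print(verify_report(make_report(GOOD), VALID))
    altered = dict(GOOD, browser=b"browser v1 patched")
    print(verify_report(make_report(altered), VALID))
    extra = dict(GOOD, keylogger=b"unlisted binary")
    print(verify_report(make_report(extra), VALID))
```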
However, the aforementioned conventional technology has no means for applying a service-specific verification policy to each service, and no means for deciding whether to permit provisioning of each service according to the verification result. Service providers can have service-specific requirements for the operation and configuration of a client apparatus, so it is hard to decide whether to permit service provision based on verification of the operation (behavior) and configuration of the client apparatus. Besides, the conventional technology may cause users serious inconvenience, because access to all services is prohibited when an abnormality is detected by the verification.
Additionally, the aforementioned conventional technology has no means for checking the security of a verification policy itself. Thus, the security of the client apparatus and the privacy of the user may be lost if a malicious or defective verification policy is introduced to the client apparatus.
The present invention has been developed with the foregoing problems in mind, and objects of the invention are to provide a client apparatus, a device verification apparatus and a verification method which guarantee that the client apparatus satisfies the policy of each service, and which protect the security and privacy of the client apparatus by verifying the security of the policy itself.